svn commit: r316185 - in head/sys: kern security/audit

Robert Watson rwatson at FreeBSD.org
Wed Mar 29 23:31:37 UTC 2017


Author: rwatson
Date: Wed Mar 29 23:31:35 2017
New Revision: 316185
URL: https://svnweb.freebsd.org/changeset/base/316185

Log:
  When handling msgsys(2), semsys(2), and shmsys(2) multiplex system calls,
  map the 'which' argument into a suitable audit event identifier for the
  specific operation requested.
  
  Obtained from:	TrustedBSD Project
  MFC after:	3 weeks
  Sponsored by:	DARPA, AFRL

Modified:
  head/sys/kern/sysv_msg.c
  head/sys/kern/sysv_sem.c
  head/sys/kern/sysv_shm.c
  head/sys/security/audit/audit.c
  head/sys/security/audit/audit.h
  head/sys/security/audit/audit_arg.c
  head/sys/security/audit/audit_bsm_klib.c
  head/sys/security/audit/audit_private.h

Modified: head/sys/kern/sysv_msg.c
==============================================================================
--- head/sys/kern/sysv_msg.c	Wed Mar 29 23:13:04 2017	(r316184)
+++ head/sys/kern/sysv_msg.c	Wed Mar 29 23:31:35 2017	(r316185)
@@ -73,6 +73,7 @@ __FBSDID("$FreeBSD$");
 #include <sys/malloc.h>
 #include <sys/jail.h>
 
+#include <security/audit/audit.h>
 #include <security/mac/mac_framework.h>
 
 FEATURE(sysv_msg, "System V message queues support");
@@ -1639,6 +1640,7 @@ freebsd32_msgsys(struct thread *td, stru
 
 #if defined(COMPAT_FREEBSD4) || defined(COMPAT_FREEBSD5) || \
     defined(COMPAT_FREEBSD6) || defined(COMPAT_FREEBSD7)
+	AUDIT_ARG_SVIPC_WHICH(uap->which);
 	switch (uap->which) {
 	case 0:
 		return (freebsd7_freebsd32_msgctl(td,
@@ -1810,6 +1812,7 @@ sys_msgsys(td, uap)
 {
 	int error;
 
+	AUDIT_ARG_SVIPC_WHICH(uap->which);
 	if (uap->which < 0 || uap->which >= nitems(msgcalls))
 		return (EINVAL);
 	error = (*msgcalls[uap->which])(td, &uap->a2);

Modified: head/sys/kern/sysv_sem.c
==============================================================================
--- head/sys/kern/sysv_sem.c	Wed Mar 29 23:13:04 2017	(r316184)
+++ head/sys/kern/sysv_sem.c	Wed Mar 29 23:31:35 2017	(r316185)
@@ -62,6 +62,7 @@ __FBSDID("$FreeBSD$");
 #include <sys/malloc.h>
 #include <sys/jail.h>
 
+#include <security/audit/audit.h>
 #include <security/mac/mac_framework.h>
 
 FEATURE(sysv_sem, "System V semaphores support");
@@ -1692,6 +1693,7 @@ sys_semsys(td, uap)
 {
 	int error;
 
+	AUDIT_ARG_SVIPC_WHICH(uap->which);
 	if (uap->which < 0 || uap->which >= nitems(semcalls))
 		return (EINVAL);
 	error = (*semcalls[uap->which])(td, &uap->a2);
@@ -1791,6 +1793,7 @@ freebsd32_semsys(struct thread *td, stru
 
 #if defined(COMPAT_FREEBSD4) || defined(COMPAT_FREEBSD5) || \
     defined(COMPAT_FREEBSD6) || defined(COMPAT_FREEBSD7)
+	AUDIT_ARG_SVIPC_WHICH(uap->which);
 	switch (uap->which) {
 	case 0:
 		return (freebsd7_freebsd32_semctl(td,

Modified: head/sys/kern/sysv_shm.c
==============================================================================
--- head/sys/kern/sysv_shm.c	Wed Mar 29 23:13:04 2017	(r316184)
+++ head/sys/kern/sysv_shm.c	Wed Mar 29 23:31:35 2017	(r316185)
@@ -87,6 +87,7 @@ __FBSDID("$FreeBSD$");
 #include <sys/sysproto.h>
 #include <sys/jail.h>
 
+#include <security/audit/audit.h>
 #include <security/mac/mac_framework.h>
 
 #include <vm/vm.h>
@@ -1300,6 +1301,7 @@ int
 sys_shmsys(struct thread *td, struct shmsys_args *uap)
 {
 
+	AUDIT_ARG_SVIPC_WHICH(uap->which);
 	if (uap->which < 0 || uap->which >= nitems(shmcalls))
 		return (EINVAL);
 	return ((*shmcalls[uap->which])(td, &uap->a2));
@@ -1315,6 +1317,7 @@ freebsd32_shmsys(struct thread *td, stru
 
 #if defined(COMPAT_FREEBSD4) || defined(COMPAT_FREEBSD5) || \
     defined(COMPAT_FREEBSD6) || defined(COMPAT_FREEBSD7)
+	AUDIT_ARG_SVIPC_WHICH(uap->which);
 	switch (uap->which) {
 	case 0:	{	/* shmat */
 		struct shmat_args ap;

Modified: head/sys/security/audit/audit.c
==============================================================================
--- head/sys/security/audit/audit.c	Wed Mar 29 23:13:04 2017	(r316184)
+++ head/sys/security/audit/audit.c	Wed Mar 29 23:31:35 2017	(r316185)
@@ -1,6 +1,6 @@
 /*-
  * Copyright (c) 1999-2005 Apple Inc.
- * Copyright (c) 2006-2007, 2016 Robert N. M. Watson
+ * Copyright (c) 2006-2007, 2016-2017 Robert N. M. Watson
  * All rights reserved.
  *
  * Portions of this software were developed by BAE Systems, the University of
@@ -472,6 +472,24 @@ audit_commit(struct kaudit_record *ar, i
 		/* Convert the auditon() command to an event. */
 		ar->k_ar.ar_event = auditon_command_event(ar->k_ar.ar_arg_cmd);
 		break;
+
+	case AUE_MSGSYS:
+		if (ARG_IS_VALID(ar, ARG_SVIPC_WHICH))
+			ar->k_ar.ar_event =
+			    audit_msgsys_to_event(ar->k_ar.ar_arg_svipc_which);
+		break;
+
+	case AUE_SEMSYS:
+		if (ARG_IS_VALID(ar, ARG_SVIPC_WHICH))
+			ar->k_ar.ar_event =
+			    audit_semsys_to_event(ar->k_ar.ar_arg_svipc_which);
+		break;
+
+	case AUE_SHMSYS:
+		if (ARG_IS_VALID(ar, ARG_SVIPC_WHICH))
+			ar->k_ar.ar_event =
+			    audit_shmsys_to_event(ar->k_ar.ar_arg_svipc_which);
+		break;
 	}
 
 	auid = ar->k_ar.ar_subj_auid;

Modified: head/sys/security/audit/audit.h
==============================================================================
--- head/sys/security/audit/audit.h	Wed Mar 29 23:13:04 2017	(r316184)
+++ head/sys/security/audit/audit.h	Wed Mar 29 23:31:35 2017	(r316185)
@@ -1,7 +1,13 @@
 /*-
  * Copyright (c) 1999-2005 Apple Inc.
+ * Copyright (c) 2016-2017 Robert N. M. Watson
  * All rights reserved.
  *
+ * This software was developed by BAE Systems, the University of Cambridge
+ * Computer Laboratory, and Memorial University under DARPA/AFRL contract
+ * FA8650-15-C-7558 ("CADETS"), as part of the DARPA Transparent Computing
+ * (TC) research program.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -109,6 +115,7 @@ void	 audit_arg_svipc_cmd(int cmd);
 void	 audit_arg_svipc_perm(struct ipc_perm *perm);
 void	 audit_arg_svipc_id(int id);
 void	 audit_arg_svipc_addr(void *addr);
+void	 audit_arg_svipc_which(int which);
 void	 audit_arg_posix_ipc_perm(uid_t uid, gid_t gid, mode_t mode);
 void	 audit_arg_auditon(union auditon_udata *udata);
 void	 audit_arg_file(struct proc *p, struct file *fp);
@@ -282,6 +289,11 @@ void	 audit_thread_free(struct thread *t
 		audit_arg_suid((suid));					\
 } while (0)
 
+#define	AUDIT_ARG_SVIPC_WHICH(which) do {				\
+	if (AUDITING_TD(curthread))					\
+		audit_arg_svipc_which((which));				\
+} while (0)
+
 #define	AUDIT_ARG_TEXT(text) do {					\
 	if (AUDITING_TD(curthread))					\
 		audit_arg_text((text));					\
@@ -373,6 +385,7 @@ void	 audit_thread_free(struct thread *t
 #define	AUDIT_ARG_SOCKET(sodomain, sotype, soprotocol)
 #define	AUDIT_ARG_SOCKADDR(td, dirfd, sa)
 #define	AUDIT_ARG_SUID(suid)
+#define	AUDIT_ARG_SVIPC_WHICH(which)
 #define	AUDIT_ARG_TEXT(text)
 #define	AUDIT_ARG_UID(uid)
 #define	AUDIT_ARG_UPATH1(td, dirfd, upath)

Modified: head/sys/security/audit/audit_arg.c
==============================================================================
--- head/sys/security/audit/audit_arg.c	Wed Mar 29 23:13:04 2017	(r316184)
+++ head/sys/security/audit/audit_arg.c	Wed Mar 29 23:31:35 2017	(r316185)
@@ -1,7 +1,13 @@
 /*-
  * Copyright (c) 1999-2005 Apple Inc.
+ * Copyright (c) 2016-2017 Robert N. M. Watson
  * All rights reserved.
  *
+ * Portions of this software were developed by BAE Systems, the University of
+ * Cambridge Computer Laboratory, and Memorial University under DARPA/AFRL
+ * contract FA8650-15-C-7558 ("CADETS"), as part of the DARPA Transparent
+ * Computing (TC) research program.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -616,6 +622,19 @@ audit_arg_svipc_addr(void * addr)
 }
 
 void
+audit_arg_svipc_which(int which)
+{
+	struct kaudit_record *ar;
+
+	ar = currecord();
+	if (ar == NULL)
+		return;
+
+	ar->k_ar.ar_arg_svipc_which = which;
+	ARG_SET_VALID(ar, ARG_SVIPC_WHICH);
+}
+
+void
 audit_arg_posix_ipc_perm(uid_t uid, gid_t gid, mode_t mode)
 {
 	struct kaudit_record *ar;

Modified: head/sys/security/audit/audit_bsm_klib.c
==============================================================================
--- head/sys/security/audit/audit_bsm_klib.c	Wed Mar 29 23:13:04 2017	(r316184)
+++ head/sys/security/audit/audit_bsm_klib.c	Wed Mar 29 23:31:35 2017	(r316185)
@@ -1,6 +1,6 @@
 /*
  * Copyright (c) 1999-2009 Apple Inc.
- * Copyright (c) 2005, 2016 Robert N. M. Watson
+ * Copyright (c) 2005, 2016-2017 Robert N. M. Watson
  * All rights reserved.
  *
  * Portions of this software were developed by BAE Systems, the University of
@@ -141,6 +141,29 @@ static const struct aue_open_event aue_o
 	{ (O_WRONLY | O_TRUNC),				AUE_OPENAT_WT },
 };
 
+static const int aue_msgsys[] = {
+	/* 0 */ AUE_MSGCTL,
+	/* 1 */ AUE_MSGGET,
+	/* 2 */ AUE_MSGSND,
+	/* 3 */ AUE_MSGRCV,
+};
+static const int aue_msgsys_count = sizeof(aue_msgsys) / sizeof(int);
+
+static const int aue_semsys[] = {
+	/* 0 */ AUE_SEMCTL,
+	/* 1 */ AUE_SEMGET,
+	/* 2 */ AUE_SEMOP,
+};
+static const int aue_semsys_count = sizeof(aue_semsys) / sizeof(int);
+
+static const int aue_shmsys[] = {
+	/* 0 */ AUE_SHMAT,
+	/* 1 */ AUE_SHMDT,
+	/* 2 */ AUE_SHMGET,
+	/* 3 */ AUE_SHMCTL,
+};
+static const int aue_shmsys_count = sizeof(aue_shmsys) / sizeof(int);
+
 /*
  * Look up the class for an audit event in the class mapping table.
  */
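Review bot: The index-to-event tables `aue_msgsys`, `aue_semsys` and `aue_shmsys` silently depend on the ordering of the `msgcalls`, `semcalls` and `shmcalls` dispatch tables in the sysv_*.c files, and nothing on either side says so; a wrong or reordered entry would mislabel the audit trail rather than fail at build time. A comment on each table such as `/* Must match the ordering of msgcalls[] in sys/kern/sysv_msg.c. */` (and the sem/shm equivalents) would pin that dependency for the next person who touches either side. The counts are also computed with the open-coded `sizeof(aue_msgsys) / sizeof(int)` where `nitems()` — used in the sysv_msg.c hunk of this same commit — is the kernel convention, and declaring the tables as `au_event_t` rather than `int` would match the return type of the conversion functions that index them.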
@@ -555,6 +578,43 @@ audit_semctl_to_event(int cmd)
 }
 
 /*
+ * Convert msgsys(2), semsys(2), and shmsys(2) system-call variations into
+ * audit events, if possible.
+ */
+au_event_t
+audit_msgsys_to_event(int which)
+{
+
+	if ((which >= 0) && (which < aue_msgsys_count))
+		return (aue_msgsys[which]);
+
+	/* Audit a bad command. */
+	return (AUE_MSGSYS);
+}
+
+au_event_t
+audit_semsys_to_event(int which)
+{
+
+	if ((which >= 0) && (which < aue_semsys_count))
+		return (aue_semsys[which]);
+
+	/* Audit a bad command. */
+	return (AUE_SEMSYS);
+}
+
+au_event_t
+audit_shmsys_to_event(int which)
+{
+
+	if ((which >= 0) && (which < aue_shmsys_count))
+		return (aue_shmsys[which]);
+
+	/* Audit a bad command. */
+	return (AUE_SHMSYS);
+}
+
+/*
  * Convert a command for the auditon() system call to a audit event.
  */
 au_event_t
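Review bot: `audit_msgsys_to_event`, `audit_semsys_to_event` and `audit_shmsys_to_event` are three copies of the same bounds-checked table lookup differing only in the table, count and fallback event, so a future fix to the range check has to be applied three times. A small static helper taking the table, its count and the fallback event would leave a single place that owns the "which out of range → audit the multiplex event itself" rule, with the three public functions reduced to one-line wrappers; the helper also makes it explicit that a negative or too-large `which` is reported under the generic event rather than dropped. The rewrite below keeps the public signatures and return values unchanged.
```c
/* Shared lookup; an out-of-range 'which' is audited as 'fallback'. */
static au_event_t
svipc_which_to_event(const int *table, int count, int which,
    au_event_t fallback)
{

	if ((which >= 0) && (which < count))
		return (table[which]);

	/* Audit a bad command. */
	return (fallback);
}

au_event_t
audit_msgsys_to_event(int which)
{

	return (svipc_which_to_event(aue_msgsys, aue_msgsys_count, which,
	    AUE_MSGSYS));
}

/* … unchanged pattern: audit_semsys_to_event / audit_shmsys_to_event … */
```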

Modified: head/sys/security/audit/audit_private.h
==============================================================================
--- head/sys/security/audit/audit_private.h	Wed Mar 29 23:13:04 2017	(r316184)
+++ head/sys/security/audit/audit_private.h	Wed Mar 29 23:31:35 2017	(r316185)
@@ -226,6 +226,7 @@ struct audit_record {
 	struct vnode_au_info	ar_arg_vnode1;
 	struct vnode_au_info	ar_arg_vnode2;
 	int			ar_arg_cmd;
+	int			ar_arg_svipc_which;
 	int			ar_arg_svipc_cmd;
 	struct ipc_perm		ar_arg_svipc_perm;
 	int			ar_arg_svipc_id;
@@ -303,6 +304,7 @@ struct audit_record {
 #define	ARG_ATFD2		0x0008000000000000ULL
 #define	ARG_RIGHTS		0x0010000000000000ULL
 #define	ARG_FCNTL_RIGHTS	0x0020000000000000ULL
+#define	ARG_SVIPC_WHICH		0x0200000000000000ULL
 #define	ARG_NONE		0x0000000000000000ULL
 #define	ARG_ALL			0xFFFFFFFFFFFFFFFFULL
 
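Review bot: `ARG_SVIPC_WHICH` is assigned 0x0200000000000000ULL while the preceding definition in this hunk, `ARG_FCNTL_RIGHTS`, is 0x0020000000000000ULL, which leaves the 0x0040, 0x0080 and 0x0100 bits apparently unassigned between them. If those bits are taken elsewhere in the ARG_* list this is fine, but if they are free, either using the next contiguous bit or a one-line comment such as `/* 0x0040-0x0100 reserved */` would keep the 64-bit validity mask easy to audit for collisions; the list is cut by the hunk so this cannot be confirmed from the diff. `ARG_ALL` is all-ones and needs no update for the new bit.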
@@ -463,7 +465,10 @@ au_event_t	 audit_ctlname_to_sysctlevent
 au_event_t	 audit_flags_and_error_to_openevent(int oflags, int error);
 au_event_t	 audit_flags_and_error_to_openatevent(int oflags, int error);
 au_event_t	 audit_msgctl_to_event(int cmd);
-au_event_t	 audit_semctl_to_event(int cmr);
+au_event_t	 audit_msgsys_to_event(int which);
+au_event_t	 audit_semctl_to_event(int cmd);
+au_event_t	 audit_semsys_to_event(int which);
+au_event_t	 audit_shmsys_to_event(int which);
 void		 audit_canon_path(struct thread *td, int dirfd, char *path,
 		    char *cpath);
 au_event_t	 auditon_command_event(int cmd);

